From owner-freebsd-net  Mon May 29 14:32:45 2000
Delivered-To: freebsd-net@freebsd.org
Received: from campbell.cwx.net (Campbell.cwx.net [216.17.176.12])
	by hub.freebsd.org (Postfix) with ESMTP id 1BD9C37B603
	for <freebsd-net@freebsd.org>; Mon, 29 May 2000 14:32:40 -0700 (PDT)
	(envelope-from allenc@campbell.cwx.net)
Received: (from allenc@localhost)
	by campbell.cwx.net (8.9.3/8.9.3) id PAA22232
	for freebsd-net@freebsd.org; Mon, 29 May 2000 15:32:38 -0600 (MDT)
	(envelope-from allenc)
Date: Mon, 29 May 2000 15:32:38 -0600 (MDT)
From: Allen Campbell <allenc@campbell.cwx.net>
Message-Id: <200005292132.PAA22232@campbell.cwx.net>
To: freebsd-net@freebsd.org
Subject: natd: failed to write packet back: Permission denied
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Natd is reporting:
natd: failed to write packet back: Permission denied

I have traced this to an interaction between Samba and natd.  Samba
appears to be broadcasting to the lo0 interface.  I have configured
smb.conf with `bind interfaces only = true' to the internal Ethernet
interface and the loopback interface to prevent broadcasts to the
ISP subnet.  It doesn't surprise me to see Samba performing broadcasts
on the configured interfaces.  I want Samba on lo0 for the password
change facility.

I have found that natd is translating Samba broadcasts to the
loopback interface into packets with the source address of the
divert socket interface.  Output from natd -v is shown here
(216.17.176.12 is the external interface IP address):

Out [UDP]  [UDP] 127.0.0.1:137 -> 127.255.255.255:137 aliased to
           [UDP] 216.17.176.12:137 -> 127.255.255.255:137
natd: failed to write packet back: Permission denied

My ipfw setup, based largely on /etc/rc.firewall, stops such packets.
The relevant parts of the ipfw configuration is shown here:

(dc0 = external interface)
00100 divert 8668 ip from any to any via dc0
00200 allow ip from any to any via lo0
00300 deny ip from any to 127.0.0.0/8
[ ... ]

My question is; Why is natd interfering with the lo0 broadcast
packets?  The divert socket is specific to the external interface
(dc0) and the lo0 broadcast packets are clearly from and to the
loopback interface.  I'm not an IP guru so I don't fully understand
the implications of broadcasting to the loopback interface.  Perhaps
this is normal behavior for natd.  What approach should I take?


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message